‘Zero-Day’ Vulnerabilities for Microsoft Exchange

Microsoft Building

Recently, our team has discovered two new vulnerabilities to Microsoft Exchange. Both of these “zero-day” threats have, until recently, flown under the radar of most IT professionals. Even worse, both vulnerabilities can be exploited in tandem to gain access to or complete control of a target’s system.
The first threat is known as “CVE-2022-41040” and is categorized as a server-side request forgery (SSRF). SSRFs allow attackers to control the server-side application, which they use to make requests to an unintended location. Malicious actors can use this type of vulnerability to connect to private internal networks within an organization’s infrastructure to steal information.

The second threat is “CVE-2022-41082”, which is categorized as a PowerShell privilege escalation attack. This type of vulnerability is used to facilitate remote code execution, which allows hackers to run harmful commands on someone else’s computer without being near it. This attack method is often used to escalate a user’s privilege, granting them greater control over the system and all of its information.

Microsoft reports that, in theory, an attacker could take advantage of these vulnerabilities at the same time. Using CVE-2022-41040, an attacker could remotely trigger CVE-2022-41082. While these threats are concerning, Microsoft states that any malicious actor wishing to exploit these vulnerabilities would need to gain authenticated access to the vulnerable Exchange Server first. Though this is not a solution, it means that the number of potential attackers is limited.

Since these are both “zero-day” vulnerabilities, Microsoft is quickly learning as much as it can about how to protect against them with its Defender antivirus and endpoint detection malware software. Presently, our suggestion for all D2 partners is to continue to install updates as they become available.
Microsoft Exchange Server customers should turn on cloud-delivered protection in Microsoft defender, turn on tamper protection, run EDR in block mode, fully enable network protection, investigation, and remediation, and use device discovery.

Share this post